Skip to content
Snippets Groups Projects
Commit 329c020e authored by catch's avatar catch
Browse files

Issue #2822499 by klausi: CsrfTokenGenerator should use timing attack safe string comparison

parent 5112179b
No related branches found
No related tags found
2 merge requests!7452Issue #1797438. HTML5 validation is preventing form submit and not fully...,!789Issue #3210310: Adjust Database API to remove deprecated Drupal 9 code in Drupal 10
Hide whitespace changes
Inline Side-by-side
core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+ 1
1
View file @ 329c020e
......@@ -54,7 +54,7 @@ public function access(Route $route, Request $request, RouteMatchInterface $rout
$path = str_replace("{{$param}}", $value, $path);
}
if ($this->csrfToken->validate($request->query->get('token'), $path)) {
if ($this->csrfToken->validate($request->query->get('token', ''), $path)) {
$result = AccessResult::allowed();
}
else {
......
core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
+ 1
1
View file @ 329c020e
......@@ -87,7 +87,7 @@ public function validate($token, $value = '') {
return FALSE;
}
return $token === $this->computeToken($seed, $value);
return Crypt::hashEquals($this->computeToken($seed, $value), $token);
}
/**
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment